core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
or 0.
Due to the reverted commit, its possible to provide a positive
value, e.g. NF_ACCEPT (1), which results in use-after-free.
Its not clear to me why this commit was made.
NF_QUEUE is not used by nftables; "queue" rules in nftables
will result in use of "nft_queue" expression.
If we later need to allow specifiying errno values from userspace
(do not know why), this has to call NF_DROP_GETERR and check that
"err <= 0" holds true.
CVE-2024-1086
(backported from commit f342de4e2f33e0e39165d8639387aa6c19dff660)
[bjamison: context conflict - upstream had changed the implicit 'fallthrough' in
the switch to explicit but the fix commit removes the switch completely so I
accepted the fix's incoming changes]
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
4c20dd0...
by
Wander Lairson Costa <email address hidden>
drm/qxl: fix UAF on handle creation
qxl_mode_dumb_create() dereferences the qobj returned by
qxl_gem_object_create_with_handle(), but the handle is the only one
holding a reference to it.
A potential attacker could guess the returned handle value and closes it
between the return of qxl_gem_object_create_with_handle() and the qobj
usage, triggering a use-after-free scenario.
Reproducer:
int dri_fd =-1;
struct drm_mode_create_dumb arg = {0};
==================================================================
BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
Write of size 1 at addr ffff88801136c240 by task poc/515
The buggy address belongs to the object at ffff88801136c000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 576 bytes inside of
freed 1024-byte region [ffff88801136c000, ffff88801136c400)
The buggy address belongs to the physical page:
page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Instead of returning a weak reference to the qxl_bo object, return the
created drm_gem_object and let the caller decrement the reference count
when it no longer needs it. As a convenience, if the caller is not
interested in the gobj object, it can pass NULL to the parameter and the
reference counting is descremented internally.
The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
Link: https://www.zerodayinitiative.com/
Signed-off-by: Wander Lairson Costa <email address hidden>
Cc: <email address hidden>
Reviewed-by: Dave Airlie <email address hidden>
Signed-off-by: Dave Airlie <email address hidden>
Link: https://patchwork<email address hidden>
CVE-2023-39198
(cherry picked from commit c611589b4259ed63b9b77be6872b1ce07ec0ac16)
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
drm/qxl: remove _unlocked suffix in drm_gem_object_put_unlocked
Spelling out _unlocked for each and every driver is a annoying.
Especially if we consider how many drivers, do not know (or need to)
about the horror stories involving struct_mutex.
Just drop the suffix. It makes the API cleaner.
Done via the following script:
__from=drm_gem_object_put_unlocked
__to=drm_gem_object_put
for __file in $(git grep --name-only $__from); do
sed -i "s/$__from/$__to/g" $__file;
done
Cc: Dave Airlie <email address hidden>
Cc: Gerd Hoffmann <email address hidden>
Cc: David Airlie <email address hidden>
Signed-off-by: Emil Velikov <email address hidden>
Acked-by: Sam Ravnborg <email address hidden>
Acked-by: Gerd Hoffmann <email address hidden>
Acked-by: Thomas Zimmermann <email address hidden>
Link: https://patchwork.freedesktop<email address hidden>
CVE-2023-39198
(cherry picked from commit 9c86fb18ad9d3587e5112f096f0d0ec3cbf43a65)
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
phy: tegra: xusb: Fix return value of tegra_xusb_find_port_node function
callers of tegra_xusb_find_port_node() function only do NULL checking for
the return value. return NULL instead of ERR_PTR(-ENOMEM) to keep
consistent.
Signed-off-by: Miaoqian Lin <email address hidden>
Acked-by: Thierry Reding <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Vinod Koul <email address hidden>
(cherry picked from commit 045a31b95509c8f25f5f04ec5e0dec5cd09f2c5f)
CVE-2023-23000
Signed-off-by: Bethany Jamison <email address hidden>
Acked-by: Andrei Gherzan <email address hidden>
Acked-by: Jacob Martin <email address hidden>
Acked-by: Manuel Diewald <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>